
[meta-python,kirkstone,5/9] python3-django: Fix CVE-2024-41990

Message ID 20250110131802.2774557-6-soumya.sambu@windriver.com

Commit Message

ssambu Jan. 10, 2025, 1:17 p.m. UTC
From: Soumya Sambu <soumya.sambu@windriver.com>

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.
The urlize() and urlizetrunc() template filters are subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41990

Upstream-patch:
https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 .../python3-django/CVE-2024-41990.patch       | 69 +++++++++++++++++++
 .../python/python3-django_2.2.28.bb           |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch

Patch

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch
new file mode 100644
index 000000000..f4be19520
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch
@@ -0,0 +1,69 @@ 
+From d0a82e26a74940bf0c78204933c3bdd6a283eb88 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Thu, 18 Jul 2024 13:19:34 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in
+ urlize and urlizetrunc template filters.
+
+Thanks to MProgrammer for the report.
+
+CVE: CVE-2024-41990
+
+Upstream-Status: Backport [https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/utils/html.py           | 18 ++++++++----------
+ tests/utils_tests/test_html.py |  2 ++
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/django/utils/html.py b/django/utils/html.py
+index f1b74ab..84e157d 100644
+--- a/django/utils/html.py
++++ b/django/utils/html.py
+@@ -315,7 +315,11 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
+                         trimmed_something = True
+                         counts[closing] -= strip
+
+-            rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon())
++            amp = middle.rfind("&")
++            if amp == -1:
++                rstripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
++            else:
++                rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon())
+             if rstripped != middle:
+                 trail = middle[len(rstripped) :] + trail
+                 middle = rstripped
+@@ -323,15 +327,9 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
+
+             if trailing_punctuation_chars_has_semicolon() and middle.endswith(";"):
+                 # Only strip if not part of an HTML entity.
+-                amp = middle.rfind("&")
+-                if amp == -1:
+-                    can_strip = True
+-                else:
+-                    potential_entity = middle[amp:]
+-                    escaped = unescape(potential_entity)
+-                    can_strip = (escaped == potential_entity) or escaped.endswith(";")
+-
+-                if can_strip:
++                potential_entity = middle[amp:]
++                escaped = unescape(potential_entity)
++                if escaped == potential_entity or escaped.endswith(";"):
+                     rstripped = middle.rstrip(";")
+                     amount_stripped = len(middle) - len(rstripped)
+                     if amp > -1 and amount_stripped > 1:
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 715c1c6..5abab8d 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -274,6 +274,8 @@ class TestUtilsHtml(SimpleTestCase):
+             "[(" * 100_000 + ":" + ")]" * 100_000,
+             "([[" * 100_000 + ":" + "]])" * 100_000,
+             "&:" + ";" * 100_000,
++            "&.;" * 100_000,
++            ".;" * 100_000,
+         )
+         for value in tests:
+             with self.subTest(value=value):
+--
+2.40.0
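Review bot: The patch header (L42-L54) does not record that this backport depends on an earlier patch in the recipe: the context lines `trailing_punctuation_chars_has_semicolon()` (L79) and `trailing_punctuation_chars_no_semicolon()` (L68, L73) and the test value `"&:" + ";" * 100_000` (L103) do not appear to exist in pristine Django 2.2.28 and look like they come from the CVE-2024-38875 backport that opens this series (L8), so this patch only applies if that one sits ahead of it in SRC_URI. Since the ordering is enforced solely by position in the recipe, a line in the header such as `Depends-on: <CVE-2024-38875 backport, 1/9 of this series> (introduces the trailing_punctuation_chars_* helpers used as context here)` would make the requirement explicit for anyone later reordering or dropping patches. The upstream hunk offsets (`@@ -315,7 +315,11 @@`, L64; `@@ -274,6 +274,8 @@`, L100) are from the 4.2.x tree, so on 2.2.28 the patch will apply with an offset rather than at those line numbers; that is fine if do_patch has been exercised on this series, but worth confirming rather than assuming. A short sentence in the header noting that it was re-applied against 2.2.28 with the earlier backports in place would also help the next person refreshing the patch.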
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index dc7e12ad7..57ab72bc9 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -19,6 +19,7 @@  SRC_URI += "file://CVE-2023-31047.patch \
             file://CVE-2024-41989-0002.patch \
             file://CVE-2024-41989-0003.patch \
             file://CVE-2024-41989-0004.patch \
+            file://CVE-2024-41990.patch \
            "
 
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"